authorMichael Gmelin <grembo@FreeBSD.org>2018-01-24 01:03:03 +0000
committerMichael Gmelin <grembo@FreeBSD.org>2018-01-24 01:03:03 +0000
commitbee1386bfaf50e8df30050a19b646ba3c33e689f (patch)
tree0f02297b493a9c0ff49c70420c02752e3522989b
parentThis apparently links libunwind directly. (diff)
Fix databases/mariadb* hostname verification when building against LibreSSL
LibreSSL imported X509_check_host from BoringSSL. Unlike OpenSSL, it doesn't calculate the length of the hostname passed in case chklen/namelen == 0. This means that the check in MariaDB always fails if built against LibreSSL. This forces administrators to disable hostname verification, which weakens security (hence the MFH request below). Note that the fix has no negative implications if built against OpenSSL, as its implementation calls strlen(hostname) in case namelen == 0. See also https://github.com/MariaDB/server/pull/562 Approved by: ssl blanket MFH: 2018Q1
Notes
Notes: svn path=/head/; revision=459808
-rw-r--r--databases/mariadb101-client/files/patch-sql-common_client.c12
-rw-r--r--databases/mariadb101-server/Makefile2
-rw-r--r--databases/mariadb101-server/files/patch-sql-common_client.c12
-rw-r--r--databases/mariadb102-client/Makefile2
-rw-r--r--databases/mariadb102-client/files/patch-sql-common_client.c23
-rw-r--r--databases/mariadb102-server/Makefile2
-rw-r--r--databases/mariadb102-server/files/patch-sql-common_client.c16
7 files changed, 63 insertions, 6 deletions
diff --git a/databases/mariadb101-client/files/patch-sql-common_client.c b/databases/mariadb101-client/files/patch-sql-common_client.c
new file mode 100644
index 000000000000..85e857c65dc8
--- /dev/null
+++ b/databases/mariadb101-client/files/patch-sql-common_client.c
@@ -0,0 +1,12 @@
+--- sql-common/client.c.orig 2018-01-24 00:36:45.520273000 +0100
++++ sql-common/client.c 2018-01-24 00:37:57.536367000 +0100
+@@ -1821,7 +1821,8 @@
+ */
+
+ #ifdef HAVE_X509_check_host
+- ret_validation= X509_check_host(server_cert, server_hostname, 0, 0, 0) != 1;
++ ret_validation= X509_check_host(server_cert, server_hostname,
++ strlen(server_hostname), 0, 0) != 1;
+ #else
+ subject= X509_get_subject_name(server_cert);
+ cn_loc= X509_NAME_get_index_by_NID(subject, NID_commonName, -1);
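Review bot: The new call computes `strlen(server_hostname)` without first checking that server_hostname is non-NULL; strlen on a null pointer is undefined behaviour, whereas the old length-0 form handed the pointer to the library, which (at least in the OpenSSL implementation I am aware of) rejects a NULL name with an error return rather than dereferencing it. The enclosing function starts and ends outside this hunk, so I cannot tell from here whether a NULL host can reach this point; if it can, a guard such as `ret_validation= !server_hostname || X509_check_host(server_cert, server_hostname, strlen(server_hostname), 0, 0) != 1;` keeps verification failing closed instead of crashing the client. The identical change appears in the mariadb101-server, mariadb102-client and mariadb102-server patch files in this commit and the same point applies to each of them.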
diff --git a/databases/mariadb101-server/Makefile b/databases/mariadb101-server/Makefile
index 4afc725d95c8..0ac410c2e65c 100644
--- a/databases/mariadb101-server/Makefile
+++ b/databases/mariadb101-server/Makefile
@@ -2,7 +2,7 @@
PORTNAME?= mariadb
PORTVERSION= 10.1.30
-PORTREVISION?= 1
+PORTREVISION?= 2
CATEGORIES= databases ipv6
MASTER_SITES= http://ftp.osuosl.org/pub/${SITESDIR}/ \
http://mirrors.supportex.net/${SITESDIR}/ \
diff --git a/databases/mariadb101-server/files/patch-sql-common_client.c b/databases/mariadb101-server/files/patch-sql-common_client.c
new file mode 100644
index 000000000000..85e857c65dc8
--- /dev/null
+++ b/databases/mariadb101-server/files/patch-sql-common_client.c
@@ -0,0 +1,12 @@
+--- sql-common/client.c.orig 2018-01-24 00:36:45.520273000 +0100
++++ sql-common/client.c 2018-01-24 00:37:57.536367000 +0100
+@@ -1821,7 +1821,8 @@
+ */
+
+ #ifdef HAVE_X509_check_host
+- ret_validation= X509_check_host(server_cert, server_hostname, 0, 0, 0) != 1;
++ ret_validation= X509_check_host(server_cert, server_hostname,
++ strlen(server_hostname), 0, 0) != 1;
+ #else
+ subject= X509_get_subject_name(server_cert);
+ cn_loc= X509_NAME_get_index_by_NID(subject, NID_commonName, -1);
diff --git a/databases/mariadb102-client/Makefile b/databases/mariadb102-client/Makefile
index 40a7b838199d..528a95e9cc6d 100644
--- a/databases/mariadb102-client/Makefile
+++ b/databases/mariadb102-client/Makefile
@@ -1,7 +1,7 @@
# $FreeBSD$
PORTNAME= mariadb
-PORTREVISION= 0
+PORTREVISION= 1
PKGNAMESUFFIX= 102-client
COMMENT= Multithreaded SQL database (client)
diff --git a/databases/mariadb102-client/files/patch-sql-common_client.c b/databases/mariadb102-client/files/patch-sql-common_client.c
new file mode 100644
index 000000000000..d222e5f37be4
--- /dev/null
+++ b/databases/mariadb102-client/files/patch-sql-common_client.c
@@ -0,0 +1,23 @@
+--- sql-common/client.c.orig 2018-01-03 14:48:29.000000000 +0100
++++ sql-common/client.c 2018-01-24 00:45:11.194419000 +0100
+@@ -104,6 +104,10 @@
+ #define CONNECT_TIMEOUT 0
+ #endif
+
++#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) || defined(HAVE_YASSL)
++#define ASN1_STRING_get0_data(X) ASN1_STRING_data(X)
++#endif
++
+ #include "client_settings.h"
+ #include <ssl_compat.h>
+ #include <sql_common.h>
+@@ -1822,7 +1826,8 @@
+ */
+
+ #ifdef HAVE_X509_check_host
+- ret_validation= X509_check_host(server_cert, server_hostname, 0, 0, 0) != 1;
++ ret_validation= X509_check_host(server_cert, server_hostname,
++ strlen(server_hostname), 0, 0) != 1;
+ #else
+ subject= X509_get_subject_name(server_cert);
+ cn_loc= X509_NAME_get_index_by_NID(subject, NID_commonName, -1);
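Review bot: The `#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) || defined(HAVE_YASSL)` guard inserted before `#include "client_settings.h"` only works if OPENSSL_VERSION_NUMBER is already defined at that point in client.c; an undefined identifier in `#if` evaluates to 0, which would make the `ASN1_STRING_get0_data` shim unconditional, including on OpenSSL 1.1 where the real function exists. The earlier includes are outside this hunk, so please confirm that an OpenSSL version header precedes line 104, or add `#include <openssl/opensslv.h>` immediately above the guard. This block is copied from the existing mariadb102-server patch, so the same question applies there.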
diff --git a/databases/mariadb102-server/Makefile b/databases/mariadb102-server/Makefile
index 580a0c8252ae..68b4fc41f91a 100644
--- a/databases/mariadb102-server/Makefile
+++ b/databases/mariadb102-server/Makefile
@@ -2,7 +2,7 @@
PORTNAME?= mariadb
PORTVERSION= 10.2.12
-PORTREVISION?= 1
+PORTREVISION?= 2
CATEGORIES= databases ipv6
MASTER_SITES= http://mirrors.supportex.net/${SITESDIR}/ \
http://mirror2.hs-esslingen.de/pub/Mirrors/${SITESDIR}/ \
diff --git a/databases/mariadb102-server/files/patch-sql-common_client.c b/databases/mariadb102-server/files/patch-sql-common_client.c
index ad77fc7f4321..d222e5f37be4 100644
--- a/databases/mariadb102-server/files/patch-sql-common_client.c
+++ b/databases/mariadb102-server/files/patch-sql-common_client.c
@@ -1,6 +1,6 @@
---- sql-common/client.c.orig 2017-05-14 23:13:18 UTC
-+++ sql-common/client.c
-@@ -104,6 +104,10 @@ my_bool net_flush(NET *net);
+--- sql-common/client.c.orig 2018-01-03 14:48:29.000000000 +0100
++++ sql-common/client.c 2018-01-24 00:45:11.194419000 +0100
+@@ -104,6 +104,10 @@
#define CONNECT_TIMEOUT 0
#endif
@@ -11,3 +11,13 @@
#include "client_settings.h"
#include <ssl_compat.h>
#include <sql_common.h>
+@@ -1822,7 +1826,8 @@
+ */
+
+ #ifdef HAVE_X509_check_host
+- ret_validation= X509_check_host(server_cert, server_hostname, 0, 0, 0) != 1;
++ ret_validation= X509_check_host(server_cert, server_hostname,
++ strlen(server_hostname), 0, 0) != 1;
+ #else
+ subject= X509_get_subject_name(server_cert);
+ cn_loc= X509_NAME_get_index_by_NID(subject, NID_commonName, -1);